US8869265B2 · Active · Utility · PatentIndex 90

System and method for enforcing security policies in a virtual environment

Assignee: MCAFEE INC · Priority: Aug 21, 2009 · Filed: Dec 21, 2012 · Granted: Oct 21, 2014
Est. expiry: Aug 21, 2029 (~3.1 yrs left) · nominal 20-yr term from priority
Inventors: DANG AMIT, MOHINDER PREET
CPC: G06F 21/554, G06F 2009/45587, G06F 21/52, G06F 21/51, G06F 21/12, G06F 9/45533, H04L 63/20, G06F 21/6218, G06F 9/468, G06F 9/45558, H04L 63/10
PatentIndex Score: 90
Cited by: 23
References: 375
Claims: 17

Abstract

A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
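The checking step the abstract describes (intercept an execution request, compute the object's checksum, compare it against an inventory of stored checksums, deny and log anything that does not match), as an added example in Python. This is illustrative code written for this page, not the patent's or McAfee's implementation: the kernel-space intercept in the privileged domain is replaced by an in-process hook, SHA-256 is assumed as the checksum (the patent only says "checksum"), the inventory is kept per object kind so that binaries and kernel modules are tracked separately, and every object byte string is constructed.

```python
"""Checksum-based execution allowlist, modelled on the abstract above.

Constructed example: an in-memory inventory of authorized checksums (the
"memory element"), an intercept hook that receives the object's bytes, and
a decision that denies anything not in the inventory and logs the denial.
"""
import hashlib
from dataclasses import dataclass, field


def checksum(data: bytes) -> str:
    """Checksum of the object. SHA-256 is this example's assumption."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Inventory:
    """Authorized checksums, split by object kind (binaries vs. kernel modules)."""
    binaries: set = field(default_factory=set)
    kernel_modules: set = field(default_factory=set)

    def authorize(self, kind: str, data: bytes) -> str:
        """Record an object as authorized and return its checksum."""
        digest = checksum(data)
        self._table(kind).add(digest)
        return digest

    def contains(self, kind: str, digest: str) -> bool:
        return digest in self._table(kind)

    def _table(self, kind: str) -> set:
        if kind == "binary":
            return self.binaries
        if kind == "kernel_module":
            return self.kernel_modules
        raise ValueError(f"unknown object kind: {kind}")


@dataclass
class Decision:
    allowed: bool
    kind: str
    digest: str
    reason: str


class ExecutionGuard:
    """Stand-in for the security layer that intercepts an execution request
    and allows or denies it against the inventory."""

    def __init__(self, inventory: Inventory):
        self.inventory = inventory
        self.denied_log: list = []  # one entry per denied execution attempt

    def on_execute_request(self, kind: str, data: bytes) -> Decision:
        digest = checksum(data)
        if self.inventory.contains(kind, digest):
            return Decision(True, kind, digest, "checksum matches inventory")
        decision = Decision(False, kind, digest, "checksum not in inventory")
        self.denied_log.append(decision)
        return decision


def run_demo() -> dict:
    """Constructed sample objects; returns the decisions keyed by scenario."""
    inv = Inventory()
    good_binary = b"\x7fELF constructed-authorized-binary"
    good_module = b"\x7fELF constructed-authorized-module.ko"
    inv.authorize("binary", good_binary)
    inv.authorize("kernel_module", good_module)

    guard = ExecutionGuard(inv)
    tampered = bytearray(good_binary)
    tampered[-1] ^= 0x01  # a single-bit change to the authorized binary

    return {
        "authorized_binary": guard.on_execute_request("binary", good_binary),
        "authorized_module": guard.on_execute_request("kernel_module", good_module),
        "tampered_binary": guard.on_execute_request("binary", bytes(tampered)),
        # Same bytes as the authorized binary, but presented as a kernel
        # module: the inventory is per kind, so this is denied as well.
        "binary_as_module": guard.on_execute_request("kernel_module", good_binary),
        "denied_count": len(guard.denied_log),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The denied log is the only side effect of a failed check; nothing in the path executes the object before the decision is made, which is the point of placing the check at the intercept rather than after loading.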

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method, comprising:
   intercepting, by a security layer, a request for an execution of an object in a computer wherein the request for the execution is from a user space of a privileged domain;
   verifying an authorization of the object by linking a particular module into a kernel space associated with the privileged domain, wherein the particular module is configured to compute a checksum for the object, access an inventory of a plurality of stored checksums in a memory element, and compare the checksum to the plurality of stored checksums; and
   denying the execution of the object if it is not authorized;
   wherein the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment, wherein the privileged domain of the computer manages a virtual machine monitor (VMM) and operates at a higher priority than one or more guest operating systems.

2. The method of claim 1, further comprising:
   evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.

3. The method of claim 1, further comprising:
   intercepting an attempt from a remote computer to execute code from a previously authorized binary; and
   evaluating an origination address of a hypercall associated with the code before executing the code.

4. The method of claim 1, wherein the object is a kernel module or a binary.

5. The method of claim 1, wherein the verifying of the authorization of the object includes comparing the object to an inventory of authorized objects stored in a user space of the computer, and wherein a log is created if the execution of the object is not authorized.

6. The method of claim 1, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.

7. A logic encoded in one or more tangible non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising:
   intercepting, by a security layer, a request for an execution of an object in a computer wherein the request for the execution is from a user space of a privileged domain;
   verifying an authorization of the object by linking a particular module into a kernel space associated with the privileged domain, wherein the particular module is configured to compute a checksum for the object, access an inventory of a plurality of stored checksums in a memory element, and compare the checksum to the plurality of stored checksums; and
   denying the execution of the object if it is not authorized;
   wherein the security layer is configured to operate in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment, wherein the privileged domain of the computer is configured to manage a virtual machine monitor (VMM) and operate at a higher priority than one or more guest operating systems.

8. The logic of claim 7, the processor being operable to perform operations comprising:
   evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.

9. The logic of claim 7, the processor being operable to perform operations comprising:
   intercepting an attempt from a remote computer to execute code from a previously authorized binary; and
   evaluating an origination address of a hypercall associated with the code before executing the code.

10. The logic of claim 7, wherein the object is a kernel module or a binary.

11. The logic of claim 7, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.

12. The logic of claim 7, wherein the verifying of the authorization of the object includes comparing the object to an inventory of authorized objects stored in a user space of the computer, and wherein a log is created if the execution of the object is not authorized.

13. An apparatus, comprising:
   a virtual machine element;
   a memory element configured to store data; and
   a processor operable to execute instructions associated with the data, wherein the virtual machine element is configured to:
   intercept, by a security layer, a request for an execution of an object in a computer wherein the request for the execution is from a user space of a privileged domain;
   verify an authorization of the object by linking a particular module into a kernel space associated with the privileged domain, wherein the particular module is configured to compute a checksum for the object, access an inventory of a plurality of stored checksums in a memory element, and compare the checksum to the plurality of stored checksums; and
   deny the execution of the object if it is not authorized;
   wherein the security layer is configured to operate in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment, wherein the privileged domain of the computer is configured to manage a virtual machine monitor (VMM) and operate at a higher priority than one or more guest operating systems.

14. The apparatus of claim 13, wherein the virtual machine element is further configured to:
   evaluate a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.

15. The apparatus of claim 13, wherein the virtual machine element is further configured to:
   intercept an attempt from a remote computer to execute code from a previously authorized binary; and
   evaluate an origination address of a hypercall associated with the code before executing the code.

16. The apparatus of claim 13, wherein the object is a kernel module or a binary.

17. The apparatus of claim 13, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.